Security researchers at SentinelOne have discovered that ReaderUpdate, a macOS malware loader platform that has been active since at least 2020, has significantly evolved with new variants written in multiple programming languages.
The malware, which previously went relatively unnoticed by many vendors, now includes versions written in Crystal, Nim, Rust, and most recently Go, in addition to the original compiled Python binary.
The Go variant, which has not been publicly reported until now, is a 4.5MB x86 binary that collects system hardware information to create a unique identifier for the victim.
It then establishes persistence by copying itself to the ~/Library/Application Support/ directory and creating a companion .plist file in the LaunchAgents folder to execute on login.
Sophisticated Obfuscation Techniques
The Go variant employs several obfuscation methods to evade detection, including randomized function names and string obfuscation through character substitution algorithms.
The malware assembles characters on the stack or uses simple substitution routines to hide critical strings such as C2 URLs and property list content.

SentinelOne researchers have identified nine samples of the Go variant connecting to seven unique domains, including airconditionersontop[.]com and streamingleaksnow[.]com.
These domains are part of a larger infrastructure that connects all ReaderUpdate variants.
Infection Chain and Potential Threats
ReaderUpdate infections typically begin with the malware being delivered through free or third-party software download sites, often via package installers containing fake utility apps.
Once installed, the malware reaches out to command and control servers and executes whatever remote commands the operators send.
While ReaderUpdate has primarily been associated with delivering Genieo (aka DOLITTLE) adware to date, security researchers warn that the loader has the capability to deliver more malicious payloads.

Its design is consistent with a loader platform that might be offered to other threat actors as Pay-Per-Install (PPI) or Malware-as-a-Service (MaaS).
All versions of ReaderUpdate are compiled solely for x86 Intel architecture, meaning they require Rosetta 2 to execute on Apple silicon Macs.
The malware has been observed in various locations on infected systems, including ~/Library/Application Support/printers/printers and ~/Library/Application Support/etc/etc, with corresponding persistence agents in the LaunchAgents folder.
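As an added example (not from the SentinelOne report and not the malware's own code), the following defender-side triage script classifies the LaunchAgent plists in a user's folder: it flags any agent whose executable is one of the two drop paths named above, and more generally any login item whose binary lives under ~/Library/Application Support/, which is the persistence pattern described earlier. The sample plists, their labels and the home path /Users/alice are constructed.

```python
import os
import plistlib
from pathlib import Path
# Drop locations named in the report as observed ReaderUpdate executables.
KNOWN_READERUPDATE_PATHS = {
    "~/Library/Application Support/printers/printers",
    "~/Library/Application Support/etc/etc",
}
def normalize(path, home):
    """Rewrite an absolute path under the user's home into ~/ form for matching."""
    home = home.rstrip("/")
    return "~/" + path[len(home) + 1:] if path.startswith(home + "/") else path

def program_path(plist):
    """Executable a LaunchAgent runs: 'Program' if set, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if isinstance(args, list) and args else None

def classify_agent(plist_bytes, home=None):
    """Return 'known_readerupdate', 'suspicious' or 'ok' for one LaunchAgent plist."""
    exe = program_path(plistlib.loads(plist_bytes))
    if not isinstance(exe, str):
        return "ok"
    exe = normalize(exe, home or os.path.expanduser("~"))
    if exe in KNOWN_READERUPDATE_PATHS:
        return "known_readerupdate"
    # A login item running a binary hidden under Application Support matches the
    # loader's persistence pattern even at a new path, so flag it for review.
    if exe.startswith("~/Library/Application Support/"):
        return "suspicious"
    return "ok"

def scan_launch_agents(directory, home=None):
    """Classify every *.plist in a LaunchAgents folder, reporting unparseable ones too."""
    results = {}
    for p in sorted(Path(directory).glob("*.plist")):
        try:
            results[p.name] = classify_agent(p.read_bytes(), home)
        except Exception:
            results[p.name] = "unparseable"
    return results
# Constructed sample plists (not real ReaderUpdate artifacts) for exercising the checks.
SAMPLE_READERUPDATE = b"""<?xml version="1.0"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.printers</string><key>RunAtLoad</key><true/>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/printers/printers</string></array></dict></plist>"""
SAMPLE_BENIGN = b"""<?xml version="1.0"?><plist version="1.0"><dict><key>Label</key><string>com.example.sync</string>
<key>Program</key><string>/Applications/Sync.app/Contents/MacOS/Sync</string><key>RunAtLoad</key><true/></dict></plist>"""
```

On a live host, call `scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"))` and review anything not reported as "ok".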
Security experts emphasize that, despite its current focus on delivering adware, compromised hosts remain exposed to any payload the operators choose to deliver, so strong defensive measures against this evolving threat remain important.